Add ArtifactID field to uniquely identify scan targets #9662

@knqyf263

Description

Background

Currently, Trivy reports lack a unified field to uniquely identify scan targets across different artifact types. While it's technically possible to distinguish artifacts (e.g., container images can be identified using Metadata.ImageID), users need to check different fields depending on the artifact type, which is cumbersome and error-prone.

For example:

  • Container images: Check Metadata.ImageID
  • Git repositories: Check Metadata.Commit and Metadata.RepoURL
  • Other types: No standard identifier available

Proposal

Add a unified ArtifactID field to the Report struct that provides a stable, unique identifier for all artifact types in a consistent way.

Implementation

Container Images

  • Use the existing ImageID (config blob hash)
  • Format: sha256:...
  • Different tags of the same image content will have the same ID

Git Repositories

  • Generate SHA256 hash from URL@Commit or Path@Commit combination
  • Format: sha256:...
  • Same repository at same commit will always have the same ID

Filesystem Scans

  • Return empty string (as filesystem paths can vary)

SBOM Scans

  • Return empty string for initial implementation
  • Future consideration: Use serial number or other unique identifiers from SBOM metadata

Benefits

  • Provides a unified field for artifact identification across all artifact types
  • Users no longer need to know which Metadata field to check for each artifact type
  • Enables easier tracking of the same artifact scanned at different times or with different tags
  • Simplifies deduplication and correlation logic
  • Maintains backward compatibility with json:",omitempty" tag
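
The per-type rules above, written out as an added Go example (this is not Trivy's own code and the Report, Metadata and ArtifactType names are stand-ins for illustration). It assumes that a repository scanned from a local path has an empty Metadata.RepoURL and carries the path in ArtifactName, so "Path@Commit" is hashed in that case, and it includes a grouping helper to show the correlation the unified field is meant to enable.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// ArtifactType and the structs below are illustrative stand-ins for the
// proposal's Report/Metadata shapes, not Trivy's own types.
type ArtifactType string

const (
	TypeContainerImage ArtifactType = "container_image"
	TypeRepository     ArtifactType = "repository"
	TypeFilesystem     ArtifactType = "filesystem"
	TypeSBOM           ArtifactType = "sbom"
)

type Metadata struct {
	ImageID string // image config blob hash, "sha256:..." (container images)
	RepoURL string // remote URL for repositories cloned from a URL; empty for local checkouts (assumption)
	Commit  string // commit hash for repositories
}

type Report struct {
	ArtifactName string // image reference, repository URL or local path
	ArtifactType ArtifactType
	Metadata     Metadata
	ArtifactID   string `json:"ArtifactID,omitempty"` // empty when no stable ID exists
}

// sha256ID hashes s and renders it in the "sha256:<hex>" form the proposal uses for all IDs.
func sha256ID(s string) string {
	sum := sha256.Sum256([]byte(s))
	return "sha256:" + hex.EncodeToString(sum[:])
}

// ComputeArtifactID applies the proposal's rule for each artifact type.
func ComputeArtifactID(r Report) (string, error) {
	switch r.ArtifactType {
	case TypeContainerImage:
		// Reuse the config blob hash; every tag of the same content shares it.
		id := r.Metadata.ImageID
		if id == "" {
			return "", fmt.Errorf("image %q has no ImageID", r.ArtifactName)
		}
		if !strings.HasPrefix(id, "sha256:") {
			return "", fmt.Errorf("image %q: unexpected ImageID format %q", r.ArtifactName, id)
		}
		return id, nil
	case TypeRepository:
		if r.Metadata.Commit == "" {
			return "", fmt.Errorf("repository %q has no commit", r.ArtifactName)
		}
		target := r.Metadata.RepoURL
		if target == "" {
			target = r.ArtifactName // local checkout: hash Path@Commit instead of URL@Commit
		}
		return sha256ID(target + "@" + r.Metadata.Commit), nil
	case TypeFilesystem, TypeSBOM:
		// No stable identifier yet; omitempty drops the field from the JSON report.
		return "", nil
	default:
		return "", fmt.Errorf("unknown artifact type %q", r.ArtifactType)
	}
}

// GroupByArtifactID buckets reports that refer to the same artifact. Reports
// with an empty ID are skipped rather than lumped together under "".
func GroupByArtifactID(reports []Report) (map[string][]Report, error) {
	groups := make(map[string][]Report)
	for _, r := range reports {
		id, err := ComputeArtifactID(r)
		if err != nil {
			return nil, err
		}
		if id == "" {
			continue
		}
		r.ArtifactID = id
		groups[id] = append(groups[id], r)
	}
	return groups, nil
}

func main() {
	// Constructed sample reports: two tags of one image share a config hash,
	// while a filesystem scan contributes no ID and is left out of the groups.
	imageID := "sha256:" + strings.Repeat("a", 64)
	reports := []Report{
		{ArtifactName: "alpine:3.19", ArtifactType: TypeContainerImage, Metadata: Metadata{ImageID: imageID}},
		{ArtifactName: "alpine:latest", ArtifactType: TypeContainerImage, Metadata: Metadata{ImageID: imageID}},
		{ArtifactName: "https://example.com/org/repo", ArtifactType: TypeRepository,
			Metadata: Metadata{RepoURL: "https://example.com/org/repo", Commit: "0123abcd"}},
		{ArtifactName: "/tmp/project", ArtifactType: TypeFilesystem},
	}
	groups, err := GroupByArtifactID(reports)
	if err != nil {
		panic(err)
	}
	for id, rs := range groups {
		names := make([]string, 0, len(rs))
		for _, r := range rs {
			names = append(names, r.ArtifactName)
		}
		fmt.Printf("%s -> %s\n", id, strings.Join(names, ", "))
	}
}
```

One caveat this makes visible: because the repository rule hashes the literal URL or path, a local checkout and a remote clone of the same repository at the same commit get different IDs, as do two spellings of the same URL (with and without a trailing ".git", for instance). Correlation across those forms needs a normalized URL before hashing.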

Labels

kind/feature: Categorizes issue or PR as related to a new feature.
